security_selinux: Set and restore /dev/sgx_* labels
For the SGX memory type, QEMU needs to open and talk to the /dev/sgx_vepc and /dev/sgx_provision files, but we neither set nor restore SELinux labels on these files when starting a guest. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
parent
a50e6f649b
commit
ed6b8a30b9
@ -47,9 +47,6 @@
|
|||||||
VIR_LOG_INIT("security.security_dac");
|
VIR_LOG_INIT("security.security_dac");
|
||||||
|
|
||||||
#define SECURITY_DAC_NAME "dac"
|
#define SECURITY_DAC_NAME "dac"
|
||||||
#define DEV_SEV "/dev/sev"
|
|
||||||
#define DEV_SGX_VEPC "/dev/sgx_vepc"
|
|
||||||
#define DEV_SGX_PROVISION "/dev/sgx_provision"
|
|
||||||
|
|
||||||
typedef struct _virSecurityDACData virSecurityDACData;
|
typedef struct _virSecurityDACData virSecurityDACData;
|
||||||
struct _virSecurityDACData {
|
struct _virSecurityDACData {
|
||||||
|
@ -23,6 +23,10 @@
|
|||||||
#include "domain_conf.h"
|
#include "domain_conf.h"
|
||||||
#include "vircommand.h"
|
#include "vircommand.h"
|
||||||
|
|
||||||
|
#define DEV_SEV "/dev/sev"
|
||||||
|
#define DEV_SGX_VEPC "/dev/sgx_vepc"
|
||||||
|
#define DEV_SGX_PROVISION "/dev/sgx_provision"
|
||||||
|
|
||||||
typedef struct _virSecurityManager virSecurityManager;
|
typedef struct _virSecurityManager virSecurityManager;
|
||||||
|
|
||||||
typedef enum {
|
typedef enum {
|
||||||
|
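Review bot: The three device-node macros are added to this header with no comment on what they are for, even though the diff shows them being removed from the DAC driver and used by the SELinux driver, so a reader of the header cannot tell they are the host device nodes that both security drivers relabel on a guest's behalf. A short comment above `#define DEV_SEV` such as `/* Host device nodes relabelled for a guest by the DAC and SELinux security drivers */` would document the shared use. As far as I know `/dev/sgx_provision` is the node that gates provisioning-key access, so it may also be worth stating there that handing it to a guest's QEMU process is intentional.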
@ -1577,10 +1577,21 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
|
|||||||
return -1;
|
return -1;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
|
||||||
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
|
if (!seclabel || !seclabel->relabel)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (virSecuritySELinuxSetFilecon(mgr, DEV_SGX_VEPC,
|
||||||
|
seclabel->imagelabel, true) < 0 ||
|
||||||
|
virSecuritySELinuxSetFilecon(mgr, DEV_SGX_PROVISION,
|
||||||
|
seclabel->imagelabel, true) < 0)
|
||||||
|
return -1;
|
||||||
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_NONE:
|
case VIR_DOMAIN_MEMORY_MODEL_NONE:
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
|
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
|
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
|
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_LAST:
|
case VIR_DOMAIN_MEMORY_MODEL_LAST:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
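Review bot: The new SGX_EPC case stamps the guest's per-domain `seclabel->imagelabel` onto two system-wide device nodes, and unlike the per-guest `mem->nvdimmPath` handled earlier in this switch these nodes are shared by every SGX guest on the host, so a second concurrently started guest would try to relabel the same files with a different image label. Whether the trailing `true` (which looks like the remember flag) makes the second set fail or silently overwrites the first guest's label should be confirmed and stated next to the calls, e.g. `/* Shared host device nodes: labelled with this guest's image label and tracked by the remembered-label mechanism so concurrent guests are handled */`. The same question applies to the failure path: when the `DEV_SGX_VEPC` relabel succeeds and the `DEV_SGX_PROVISION` one fails the case returns -1 with the first label already changed, which is acceptable only if the driver's transaction rollback undoes it. virSecuritySELinuxSetMemoryLabel starts outside the hunk.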
@ -1607,9 +1618,18 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
|
|||||||
ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
|
ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
|
||||||
|
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
|
if (!seclabel || !seclabel->relabel)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
ret = virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_VEPC, true);
|
||||||
|
if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 0)
|
||||||
|
ret = -1;
|
||||||
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
|
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
|
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
|
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_NONE:
|
case VIR_DOMAIN_MEMORY_MODEL_NONE:
|
||||||
case VIR_DOMAIN_MEMORY_MODEL_LAST:
|
case VIR_DOMAIN_MEMORY_MODEL_LAST:
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
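Review bot: Restoring the labels on `DEV_SGX_VEPC` and `DEV_SGX_PROVISION` when one guest stops is only safe if another SGX guest that is still running keeps its access, and nothing in the hunk says how that is ensured; the trailing `true` presumably is the recall flag that consults the remembered label and its use count, which is worth stating beside the calls, e.g. `/* Shared host nodes: the recalled label is only put back once no other guest still holds them */`. The two calls are also written asymmetrically (`ret =` for the first, `if (... < 0) ret = -1;` for the second); writing `ret = 0;` followed by an `if (... < 0) ret = -1;` for each makes it obvious both restores are attempted regardless of the first result. virSecuritySELinuxRestoreMemoryLabel starts outside the hunk.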